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The European Data Protection Board (EDPB) is an independent 
European body, established by the General Data Protection 
Regulation (GDPR), which aims to ensure the consistent 
application of data protection rules across the European 
Economic Area (EEA). It achieves this aim by promoting 
cooperation between national Supervisory Authorities 
(SAs) and issuing general, EEA-wide guidance regarding the 


interpretation and application of data protection rules. 


The EDPB comprises the Heads of the EU SAs and the 
European Data Protection Supervisor (EDPS). The European 
Commission and - with regard to GDPR-related matters - the 
European Free Trade Association Surveillance Authority - 
have the right to participate in the activities and meetings of 
the EDPB without voting rights. The SAs of the EEA countries 
(Iceland, Liechtenstein and Norway) are also members of the 
EDPB, although they do not hold the right to vote. The EDPB is 


based in Brussels. 


The EDPB has a Secretariat, which is provided by the EDPS. 
A Memorandum of Understanding determines the terms of 


cooperation between the EDPB and the EDPS. 


1. 2020 HIGHLIGHTS 


1.1. Contribution of the EDPB to 
the evaluation of the GDPR 


In February 2020, the EDPB and national Supervisory Authorities 
(SAs) contributed to the European Commission's evaluation 
and review of the GDPR, as required by Art. 97 GDPR. 


The EDPB considers that the GDPR has strengthened data 
protection as a fundamental right and harmonised the 
interpretation of data protection principles. Data subject rights 
have been reinforced and data subjects are increasingly aware 
of the modalities to exercise their data protection rights. 
The GDPR also contributes to an increased global visibility 
of the EU legal framework and is being considered a role 
model outside of the EU. In its report, the EDPB states that it 
believes that the GDPR's application has been successful, but 
acknowledges that a number of challenges still remain. For 


example, insufficient resources for SAs are still a concern, as 





are inconsistencies т national procedures that have an impact 


on the cooperation mechanism between SAs. 


Despite these challenges, the EDPB is convinced that ongoing 
cooperation between SAs will facilitate a common data 


protection culture and establish consistent practices. 


Furthermore, the EDPB believes it is premature to revise the 
GDPR. 


1.2. Issues relating to 
COVID-19 responses 


During the COVID-19 pandemic, EEA Member States began 
taking measures to monitor, contain and mitigate the spread of 
the virus. Many of these measures involved the processing of 
personal data, such as contact-tracing apps, the use of location 
data or the processing of health data for research purposes. 
As such, the EDPB provided guidance on how to process 
personal data in the context of the COVID-19 pandemic. During 
this period, the EDPB also responded to letters from Members 
of the European Parliament asking for further clarifications on 
COVID-19-related matters. 


1.3. International personal data flows 
after the Schrems Il judgment 


On 16 July 2020, the Court of Justice of the EU (CJEU) released 
its judgmentin Case C-311/18 (Schrems II). The CJEU examined 
two mechanisms that allow personal data transfers from the 
EEA to non-EEA countries (third countries), namely, the EU-U.S. 
Privacy Shield and Standard Contractual Clauses (SCCs). The 
CJEU invalidated the adequacy decision underlying the EU- 
U.S. Privacy Shield, thereby rendering it invalid as a transfer 
mechanism. It also ruled that the European Commission's 
Decision 2010/87 on SCCs for the transfer of personal data to 
third country processors is valid, so SCCs may still be used to 


enable international data transfers. This is upon the condition 
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that the exporter (if needed, with the help of the importer), 
assesses, prior to the transfer, the level of protection afforded 
in the context of such transfers, taking into consideration both 
the SCCs and the relevant aspects of the legal system of the 
importer's country, as regards any access to the data by that 
third country’s public authorities. The factors to be considered 
for this assessment are those set out, in a non-exhaustive 
manner, in Art. 45(2) GDPR. 


The judgment has wide-ranging implications for EEA-based 
entities that use these mechanisms to enable personal data 
transfers to the U.S. and other third countries. Accordingly, the 
EDPB issued multiple guidance documents, include a list of 
FAQs and some Recommendations, on the judgment and its 


implementation. 


1.4. First Art. 65 GDPR binding decision 


On 9 November 2020, the EDPB adopted its first dispute 
resolution decision on the basis of Art. 65 GDPR. The binding 
decision addressed the dispute that arose after the Irish SA, 
acting as Lead SA, issued a draft decision regarding Twitter 
International Company and the subsequent relevant and 


reasoned objections expressed by a few Concerned SAs. 


2. EUROPEAN DATA PROTECTION 
BOARD - ACTIVITIES IN 2020 


In 2020, the EDPB adopted 10 Guidelines on topics such 
the concepts of controller and processor; and targeting of 
social media users, and a further three Guidelines that were 
adopted after public consultation. The EDPB also issued two 


Recommendations. 


The EDPB also oversaw procedures relating to consistency 
activities to clarify the process and aiming to ensure its 
efficiency for the SAs. In 2020, the EDPB issued 32 Opinions 
under Art. 64 GDPR. Most of these Opinions concerned draft 


accreditation requirements for а code of conduct monitoring 
body or a certification body, as well as Controller Binding 


Corporate Rules for various companies. 


di SUPERVISORY AUTHORITY 
ACTIVITIES IN 2020 


National Supervisory Authorities (SAs) are independent public 
authorities that monitor the application of data protection law. 
SAs play a key role in safeguarding individuals’ data protection 


rights. They can do this through exercising corrective powers. 


The EDPB website includes a selection of SA supervisory 


actions relating to GDPR enforcement at national level. 


The EDPB published a register of decisions taken by national 
SAs in line with the One-Stop-Shop cooperation procedure (Art. 
60 GDPR) on its website. 


3.1 Cross-border cooperation 


The GDPR requires the EEA SAs to cooperate closely to ensure 
the consistent application of the GDPR and protection of 
individuals’ data protection rights across the EEA. One of their 
tasks is to coordinate decision-making in cross-border data 


processing cases. 


Between 1 January and 31 December 2020, there were 
628 cross-border cases out of which 461 originated from a 
complaint, while 167 had other origins, such as investigations, 


legal obligations and/or media reports. 
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The One-Stop-Shop mechanism demands cooperation 
between the Lead Supervisory Authority (LSA) and the 
Concerned Supervisory Authorities (CSAs). The LSA leads the 
investigation and plays a key role in the process of reaching 
consensus between the CSAs, in addition to working towards 
reaching a coordinated decision about the data controller or 
processor. Between 1 January 2020 and 31 December 2020, 
there were 203 draft decisions, from which resulted 93 final 


decisions that are published in a public register. 


The mutual assistance procedure allows SAs to ask for 
information from other SAs or to request other measures 
for effective cooperation, such as prior authorisations or 
investigations. Between 1 January 2020 and 31 December 
2020, SAs initiated 246 formal mutual assistance procedures. 
They initiated 2,258 informal such procedures. Mutual 
assistance is also used by the SAs asking the competent SA 
to handle complaints they have received that do not relate to 


cross-border processing as defined by the GDPR. 


4. STAKEHOLDER CONSULTATION 
AND TRANSPARENCY 


During the COVID-19 pandemic, the EDPB responded to 
letters from Members of the European Parliament asking for 
further clarifications on COVID-19-related matters. The EDPB 
organised a stakeholder event on the concept of legitimate 
interest to gather input and views on this specific issue in the 


interest of developing future guidance. 


Following the preliminary adoption of Guidelines, the EDPB 
organises public consultations to give stakeholders and 
citizens the opportunity to provide additional input, which is 
then considered in the subsequent drafting process. In 2020, 


the EDPB launched and completed seven such consultations. 


For the third year in a row, the EDPB conducted a survey as part 
of the annual review of the EDPB's activities under Art. 71(2) 


GDPR. Questions centred on the EDPB's work and output in 





2020, with a focus оп its Guidelines and Recommendations, all 
with a view to understanding the extent to which stakeholders 
find the EDPB’s guidance helpful in interpreting the GDPR's 
provisions, and in order to identify future paths to better 
support individuals and organisations as they approach data 


protection. 
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5. STRATEGY AND 
OBJECTIVES FOR 2021 


The EDPB defined its Strategy for 2021-2023, which covers the 
four main pillars of its strategic objectives, as well as a set of 
three key actions per pillar to help achieve these objectives. In 
early 2021, the EDPB adopted its two-year work programme 
for 2021-2022, according to Art. 29 of the EDPB Rules of 
Procedure. The work programme follows the priorities set 
out in the EDPB 2021-2023 Strategy and will put the EDPB's 


strategic objectives into practice. 
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